By Intigriti
May 27, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 15 to 22 May.
Project Axiom is a set of utilities for deploying and managing your own dynamic infrastructure on Digital Ocean. It includes different commands that you can use to work with VPS instances from the command line. Examples of actions available are launching a VPS instance, backing it up, connecting to it with SSH, deploying a VPN, etc.
An awesome, convenient project for bug hunters, red teamers and pentesters!
RCE in Google Cloud Deployment Manager (Google, $31,337.00)
@epereiralopez found an SSRF that led to RCE on Google. Even though this finding required a really good understanding of Google Cloud Manager, he does an awesome job of explaining everything in this well-written and descriptive writeup.
A highly recommended read whether you want to learn about SSRF/RCE, getting max bounties on Google, testing Google Cloud Manager, or how to write great writeups!
Smuggling HTTP headers through reverse proxies
@RobinVerton shares a very interesting HTTP header smuggling technique. It exploits differences in how reverse proxies and WSGI frameworks (e.g. Django & Flask) handle header names.
If you’re wondering how this relates to existing HTTP request smuggling research… @albinowax’s techniques involved poisoning Web caches and desynchronizing systems. This new attack focuses on smuggling HTTP headers with the goal of bypassing authentication or achieving account takeover. It is relatively easier, provided that you know or can guess the header names.
I’d also recommend checking out this article by The Daily Swig for a high-level summary.
– @Agarri_Fr Talks About Burp Suite, SSRF, Security Research and Learning Web Application Hacking
– Filedescriptor solves Intigriti’s XSS challenge | Exploiting an RPO attack on Firefox
These are two cool videos for anyone interested in Web app hacking and research. @NahamSec interviews @Agarri_FR, who specializes in Web app hacking and fuzzing. Even though he does less bug hunting now, he is still well-known for his past research on SSRF and XML fuzzing, which is still very relevant and referenced today, and for his unique advanced Burp training. So, it’s nice to get to know him, his learning process, how he manages to find bugs without focusing on recon, how he picks research topics, etc.
In the video writeup, @filedescriptor solves Intigriti’s May XSS challenge. He shows how to trigger XSS by chaining a Relative Path Overwrite (RPO) and an open redirect. A nice opportunity to learn about RPOs and less obvious XSS!
– How to examine iOS network traffic over an iOS cable.
– Penetration Tester’s Guide to Evaluating OAuth 2.0 — Authorization Code Grants
The usual method for proxying iOS traffic through Burp opens a Burp proxy listener that is exposed to the local network. But what if you’re on a public network and do not want to expose it? @heald_ben shows how to do that using a jailbroken iOS device, an Apple cable, iproxy, and SSH tunneling.
The second tutorial is an introduction to OAuth security. It includes a summary of how OAuth 2.0 works (specifically the Authorization Code Grant), and how to test for some common security issues. I love how everything is structured. It provides a good basis to expand upon each time a new attack is discovered.
PSW #652 – HTTP Security Headers In Action – Sven Morgenroth
Stealing Hashes without Admin via Internal Monologue – Practical Exploitation
Risky Business #584 — Nation-backed attackers own easyJet, jump airgaps, hack ports
Cyberpunks Episode 9 – Penetration testing with Abartan Dhakal & 10 – Attack Surfaces with Abartan Dhakal
Cyber Work Podcast – What’s new in Ethical Hacking: Latest careers, skills and certifications
SWN #35 – DEFCON Safe Mode, Ransomware Gangs, & SpaceX to ISS
SWN #36 – Danny Trejo, Animal Crossing, Contact Tracing, & SaltStack – Wrap Up
Naked Security Podcast S2 Ep 40: Demonic printers, a sleazy stalker and 10 reasons to patch
Discord Hangout: Practical OAuth Attacks & Practical OAuth Abuse for Offensive Operations – Part 1
ASC Webinars: CTFs and Bug Bounty Hunting and Their Relation To Professional Work – Ibrahim Mosaad
Who’s Your Hacker – Back on my Browser BBS Basic Browser Hacking- Charles “BSDBandit” Shirer
SANS webinars
Getting Started with Azure Automation DSC & Abusing Azure DSC — Remote Code Execution and Privilege Escalation
Web Security 101: An Interactive Cross-Site Request Forgery (CSRF) Demo
Offensive Operations in Active Directory – #0 Taming Kerberos and making it our loyal companion & #1 Scatter the (h)ashes…
15 years later: Remote Code Execution in qmail (CVE-2005-1513) #RCE
CVE-2020-11022/CVE-2020-11023: jQuery 3.5.0 Security Fix details & PoCs #Web
QNAP Pre-Auth Root RCE Affecting ~312K Devices on the Internet & Scanner #Web
Analysis of CVE-2020-0605 – Code Execution using XPS Files in .NET #Deserialisation
Docker Desktop for Windows PrivEsc (CVE-2020-11492) #Windows #PrivEsc
Abusing WebRTC to Reveal Coarse Location Data in Signal #WebRTC
Vulnerability in Google WordPress Plugin Grants Attacker Search Console Access #Web
Parsing the DOM elements of Other pages via XSS: A Bug Bounty Story
Easy bounties with subdomain discovery – Using Project Sonar for bug bounty (Bpost, $100)
Multiple flaws lead to Account Takeover within an Application
From XSS To CSRF | One-click Authorized Access To Account Takeover
CVE-2020–1088 — Yet another arbitrary delete EoP (Microsoft)
Disclosure of the name of a program that has a private part with an external link (HackerOne, $500)
Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash) (InnoGames, $1,100)
See more writeups on The list of bug bounty writeups.
CSTC, Modular HTTP Manipulator & Video tutorial: Cyber Security Transformation Chef, a Burp Suite extension similar to CyberChef
Shotlooter: A recon tool that finds sensitive data inside the screenshots uploaded to prnt.sc
WEBSY & Introduction: Python tool for URL monitoring
JWTweak: CLI tool that detects the algorithm of an input JWT token and provides options to generate a new JWT token based on the user-selected algorithm
Gitscraper: A tool which scrapes public github repositories for common naming conventions in variables, folders and files
Authentication Token Obtain and Replace (ATOR), Introduction – Part 1 & Part 2: Burp extension for handling complex login sequences
WeirdAAL & Update info: AWS Attack Library
CustomWordlistgenerator & Introduction: Python tool that takes a CMS repo/folder as input and generates a custom word-list based on its contents
Safecopy: Burp Extension for copying requests safely when reporting vulnerabilities. It redacts headers like Cookie, Authorization & X-CSRF-Token
H1 Report Finder: A Burp Suite extension that helps security researchers find public security reports published on h1 based on the selected host
localdataHog: String-based secret-searching tool (high entropy and regexes) based on truffleHog
git-wild-hunt: A tool to hunt for credentials in the GitHub wild, AKA git*hunt
Decompiler: A decompiler extension for VS Code, that leverages Ghidra, IDA Pro & JadX/JD-CLI/dex2jar
phpunit-brute: Tool to try multiple paths for PHPunit RCE CVE-2017-9841
Powerob: An on-the-fly PowerShell script obfuscator meant for red team engagements. Built out of necessity.
Scout: A .NET assembly for performing recon against hosts on a network
TerraGoat & Introduction: Vulnerable Terraform Infrastructure
NXNSAttack: upgrade resolvers to stop a new kind of random subdomain attack
Weaponizing AWS ECS Task Definitions to Steal Credentials From Running Containers
eBay port scans visitors’ computers for remote access programs & Stealing Secrets from Developers using Websockets & Reddit discussion
Abusing the osquery “curl” table for pivoting into cloud environments
New Unc0ver jailbreak released, works on all recent iOS versions
Hacker Days: Kubernetes from an Attacker’s Perspective: May 28
Verizon’s 2020 Data Breach Investigations Report & Daniel Miessler’s Analysis of the 2020 Verizon Data Breach Report
Smartphones, laptops, IoT devices vulnerable to new BIAS Bluetooth attack
NXNSAttack technique can be abused for large-scale DDoS attacks
Shielded web security flaws in QNAP storage devices finally released
Check Point released an open-source fix for common Linux memory corruption security hole
Ragnar Locker ransomware deploys virtual machine to dodge security
Hackers Say They Have Trump’s ‘Dirty Laundry’ and Want $42 Million to Keep It Secret
Hackers tried (and failed) to install ransomware using a zero-day in Sophos firewalls
Beer rating app reveals homes and identities of spies and military bods, warns Bellingcat
Mercedes-Benz onboard logic unit (OLU) source code leaks online
Microsoft: Here’s why we love programming language Rust and kicked off Project Verona
Alleged Hacker Behind Massive ‘Collection 1’ Data Dump Arrested
NSO Group Impersonates Facebook Security Team to Spread Spyware — Report
Senate Votes to Allow FBI to Look at Your Web Browsing History Without a Warrant
Windows 10 Defender’s hidden features revealed by this free tool
Dark web vendors feel the pinch as coronavirus lockdown restrictions impact underground operations
Hackers preparing to launch ransomware attacks against hospitals arrested in Romania
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 05/15/2020 to 05/22/2020.
Curated by Pentester Land & Sponsored by Intigriti